This is the November 2015 issue of the peer reviewed Journal of Physical Security. In addition to the usual editor’s rants about security (and other things), this issue has research papers on single service vs. bundled security, and on social media impacts on emergency response and business continuity.
There are also 4 viewpoint papers. These include a review of the new ASIS International Risk Assessment Standard, an essay on why you should hate security, an editorial on the storage of high-level nuclear waste, and what the Internet of Things and a new IEEE standard for wireless privacy and security may mean for physical security.
18. Journal of Physical Security 8(2), 1-14 (2015)
1
Single Service or Bundle:
Practitioner Perspectives on What Makes the Best Security
Martin Gill and Charlotte Howell
Perpetuity Research & Consultancy International Ltd
11a High Street
Tunbridge Wells, Kent, TN1 1UL
United Kingdom
Abstract
The aim of this paper is to discuss the relative advantages and disadvantages of providing
security services as either a single service or as part of a bundle. It is based on one-to-one
interviews with 72 respondents, 44 from client organizations (and including security and
facilities managers) and 28 suppliers (including representatives from security only providers
and facilities management companies). While there are supporters of supplying security both
as a single service and as part of a bundle, the arguments used to support each are based on
experience and perception rather than evidence. This study is presented as a first step in
identifying key issues that pertain to the deployment/integration of security alongside other
facilities management services. There is a need for more evaluative research.
Key words: security services, bundled services, client/supplier relationships
Context
It has long been recognized that there are different ways of outsourcing and a variety of
frameworks are in evidence (McIvor, 2005; 2008; Varadarajan, 2009) for a variety of
different facilities management services. The motive is often highlighted as an economic
one although this is but one of many possibilities (see, McIvor, 2008; Shekar, 2008); much
depends on the type of outsourcing model being discussed, and there are many. Willcocks
et al. (2007; 2009) helpfully identify four options which they term sole supplier, prime
contractor, best-of-breed, and panel.
• Sole supplier: This is where all the services are supplied by a single supplier,
sometimes considered to be Total Facilities Management (TFM).
• Prime contractor: This is where one supplier is responsible for a contract but
may subcontract where it lacks expertise.
• Best-of-breed: This is where potentially a range of services are managed by the
client.
• Panel: This is where a preferred group of approved suppliers compete for
contracts.
19. Journal of Physical Security 8(2), 1-14 (2015)
2
In reality, there are a variety of ways of classifying services (see also, BIFM, 2007; 2012),
and since outsourcing is complex (see, Nordin, 2006), ‘ideal type’ models often disguise
wide variations and overlaps in practice (see, Oshri et al., 2011; Willcocks et al., 2009b). A
number of key points, though, are in evidence and are relevant to this paper. The first is
that the decision on which model to choose rests with clients (see, Jain and Natarajan,
2011), and at least part of the influence on their decision will be their own capability for
managing the different options (Willcocks and Lacity, 2011; 2012). The extent to which
they understand the potential barriers to implementing their chosen strategy (if they have
one) will have important implications for how successful it is likely to be (Nordin, 2006). A
second issue is that single service provision is typically viewed as less complicated, and
that the scope for outsourcing in some sort of bundled way comes with experience and
requires greater expertise (BIFM, 2007; Willcocks et al., 2009), not least in turbulent
environments (Momme and Hvolby, 2002). Third, the scope for moving to some type of
bundled provision depends in part on expertise emerging amongst suppliers (Oshri et al.,
2011; Feeny et al, 2005; Willcocks and Lacity, 2009).
Fourth, there are a range of advantages and disadvantages of different models in
different sectors, albeit that many of these are not tested by independent research (see,
BIFM, 2007; Willcocks et al., 2007; Willcocks et al., 2009; Interserve and Sheffield Hallam
University, 2012). Indeed, some evidence suggests that not only will the effects of
outsourcing be different for different functions, but that there is a danger that internal
skills and knowledge that are lost by outsourcing will need to be meditated by effective
management strategies (Agndal and Nordin, 2009). Fifth, there is a lack of research on the
pros and cons of different models in different facility management service areas. Both
security management (Gill, 2014) and facilities management (Drion et al., 2012) are
relatively new areas of study where the body of knowledge about what works and what
doesn’t is still evolving. Indeed, despite research on the outsourcing of various areas of
facilities management, such as business processing (Whitaker et al., 2010); engineering
(Burdon and Bhalla, 2005); information services (Petry-Eberle and Bieg, 2009); and
property management services (Yam, 2012), there has been little research on security
services (but see, Hassanain and Al-Saadi, 2005). It is against this background that our
research took place.
The aim of this study was to identify practitioner perspectives on the relative merits of
single service as opposed to bundling in one specific area that has received very little
coverage in the facility management (FM) literature, that of security. The word ‘security’ in
practice covers a wide variety of activities that often bear little relation to each other (for
example locksmithing, security guarding, alarm installation). There is a tendency to
discuss security in terms of personnel services (such as manned guarding and close
protection) and technical services (such as alarms and CCTV), the approximate equivalent
to soft and hard facilities management. (For a discussion of the security sector, see Gill,
2014.)
The approach in this work was to identify and interview a wide range of individuals
using the different models in practice to help understand the key issues involved in single
service and bundling (these terms will be defined later in this paper) which involves
20. Journal of Physical Security 8(2), 1-14 (2015)
3
security. A snowball sampling strategy was used. This involves using contacts and word of
mouth to identify relevant people to take part in the study. An advantage of this method is
that it allows access to members of the population who may be difficult to identify and
engage by other means. Moreover, it allows for potentially more valuable responses, as
those taking part are more likely to be knowledgeable about the research. Indeed, one of
the early findings was that knowledge about the benefits and drawbacks of providing single
service or bundling security was not clear-cut. Against this, however, snowballing is a non-
random form of research sampling and it is therefore unlikely that the sample is
representative of the total population, which should be kept in mind. The interviews
typically lasted thirty to sixty minutes, and semi-structured interview schedules were used.
An advantage of a semi-structured schedule is that it gives the flexibility for interviewers to
probe the issues raised.
A total of 72 individuals took part in telephone interviews, mostly from the UK, but also
from Australia (7), Canada (4), Europe (3) and a respondent working in the Middle East.
Table 1 provides further information on the role of individuals taking part.
Table 1: Breakdown of interviewees (n=72)
Clearly, the sample was not intended to be representative, rather we sought to engage
participants who were involved in different aspects of security—both single service and
bundled—to better understand the pros and cons of different types of security service
purchase and delivery. It provides a foundation on which further studies may build.
Findings
Thinking about terminology
One of the early findings was that there remains widespread confusion in the
terminology used (see, Varadarajan, 2009). This included what was meant by single
service, since some referred to a type of security as single service (say manned guarding)
while some companies offering a variety of different services (including personnel and
technical) considered this a single service because it was all related to security, when in
Interviewee Type N
Clients (n=44) Security Managers 27
Facilities/Property Managers 14
Consultants 2
Procurement Specialists 1
Suppliers (n=28) Bundled service provision 10
Single service provision 9
Combination of bundled and single service provision 7
Advisory role 2
21. Journal of Physical Security 8(2), 1-14 (2015)
4
fact it is best described as ‘bundled security’. Indeed, it was possible to identify the
following types of security delivery that do not fit easily into the four categories noted
above:
• in-house: security provided in-house
• single service security: just one type of contract security provided
• bundled security: different types of contract security provided
• single service security supplied with a limited number of FM services
• bundled security supplied with a limited number of FM services
• single service security supplied with all other relevant FM services
• bundled security supplied with all other relevant FM services
• single service security supplied with a limited number of FM services with
integration between them
• bundled security provided with a limited number of FM services with integration
between them
• single service security supplied with all FM services with integration between
them
• bundled security provided with all FM services with integration between them
This list reflects the somewhat complex array of arrangements that exist. Moreover,
there was a belief that the further down the list one reads, the more complex the delivery.
Just to add to this, sometimes there was a mixture of delivery approaches across sites or
countries. In this short paper, it is not possible to examine the different risks and
opportunities these arrangements present—a laudable aim though that would be. Rather,
the focus here is to compare the relative merits of offering security on its own (whether
single or a security bundle) compared to security combined with other FM services. The
focus has been on other facility management services, but of course security is sometimes
provided alongside an even broader range of services such as those focussed on safety and
emergency management, such as managing natural disasters; this provides another
potential field of enquiry.
The case for bundling security
There were three overarching reasons why clients and suppliers said they favored
bundling. The first and most widely commented upon was that it offered cost savings for
clients. There were a number of dimensions to the ways in which these could be achieved.
Some noted there were lower overheads, which resulted from such factors as having to
deal with fewer contracts (and under Total Facilities Management [TFM] or Integrated
Facilities Management [IFM] models a single point of contact); less insurance and legal
costs; having to manage fewer invoices and be involved with fewer accounts teams and
such. Some argued that there was a need for less management and supervisory personnel
in the contracted service, and others noted that as a consequence, there was less need for
oversight in the client organization when services were managed collectively. Thus:
22. Journal of Physical Security 8(2), 1-14 (2015)
5
Sometimes (we) bundle security with facilities management, security
and cleaning … That brings economies of scale … in the management,
one account manager managing both.
Senior Regional Facilities Manager, Property Management
Straight away you will get economies of scale, you won’t be getting
margin on margin or management on management.
TFM Director, Facilities Management
Reducing the number of contractors also meant that the profits each individual supplier
had to make could be consolidated; a supplier involved in offering a range of services
would be more amenable to reducing its profit margins in return for a larger slice of the
available business. Some noted that in a bundle, one service might be charged out at cost in
order to generate a profit in other areas, and at least one supplier had this under
consideration. Manned guarding was seen as a prime contender here because the margins
were so slight that some wondered whether there was a viable future for a single manned
guarding service in the mass market in the absence of a change in buyers’ behavior.
A second point, and one that implied cost savings but accrued other benefits was the
opportunity that bundling provided for improved management practices. Some here
pointed to the benefits of instilling a specific corporate style to the provision of services
across sites, which becomes especially possible with one or fewer suppliers. In a different
way, bundling was perceived as being good for facilitating cooperative working, and this
had a number of dimensions. The opportunity to avoid the restrictions implicit in a silo
mentality was considered important by providing a platform, via joint management, of
encouraging service lines to work together where appropriate. There has been a major
emphasis in recent times in various types of collaboration with a range of buzz words to
depict various types of co-operation including integration (BSIA, 2007; De Toni and
Nonino, 2009), convergence (Hunt, 2010; Willison et al., 2012), and partnerships (Prenzler
and Sarre, 2012; Yang and Wei, 2012) to name but a few. Amongst both buyers and
suppliers, there was widespread agreement that there was confusion about what these
terms meant, but for the purposes of this study, the fact that some type of collaboration
was typically a good thing as far as effective security was concerned generated support for
bundling.
On the people side, integration typically involved multi skilling individuals, or at least in
engaging them with a more varied set of duties. This was seen as an opportunity to build
teams with different service lines supporting each other. It provided more varied work for
staff, enhanced their commitment and reduced turnover. This applied to management, too,
in being able to take on new opportunities with greater responsibility than might
otherwise exist. And on the technology side, a number of suppliers (in particular)
identified the potential for systems to provide for better integration, and specifically for
security systems to enable the better functioning of other systems, more cost effectively
and with more benefits than if the services were provided separately. Moreover, it was
argued that the integration of technological systems, security with non-security, and
security technology with security people facilitated innovation. For suppliers, this was
23. Journal of Physical Security 8(2), 1-14 (2015)
6
especially important. Many lamented the growing power of procurement within
organizations, which was seen to drive prices and profits down. Some felt that the only
way margins could be protected was by being afforded the opportunity to combine
technology with manpower.
(There are) economies of scale in teams helping out in other areas, multi
– cross skilling, if done right, with the right training and skills (means
you can) utilize labor better.
Security and Operations Manager, Event Centre
Cleaners can be on the look out for any problems and help reduce crime
by noticing who should not be in places … On the security side, guards
pick up papers as they walk around.
General Manager, Security, Shopping Centres
There was a third major influence behind the move to bundling, and that was the
growing expertise of both clients to understand their needs and develop a bundled
response, and of suppliers to deliver a range of services under one umbrella. Indeed, some
clients noted that they had been drawn to bundled services by developments in the
supplier market, and interestingly, some interviewees from overseas (and especially
outside major conurbations) lamented the lack of multi service providers to meet their
needs. One client noted:
Actually, opportunity is the biggest factor here. I have a provider able
to provide the solution that drives this largely, and were my contractor
not providing this solution, we wouldn’t have adopted it.
Head of Security, Bank
Security providers were one-trick ponies, just [offering] guards or
cameras or intrusion alarms. [Now] more and more companies are
becoming a bit of a supermarket, they are moving from [being a]
specialism to [a] master of [all] trades. So it makes sense: one source for
all or most of services required.
Security Advisor, Energy Provider
Bundling was rarely argued to provide a better quality of security delivery than single
service, however, suggestions that quality would be sub-standard in a bundle were refuted;
proponents of bundling argued that a good procurement process and effective
management can ensure that the quality of service provision is maintained. It was also
noted that bundling could facilitate the standardization of processes which improved
efficiency and helped to ensure consistently high quality delivery.
The Case for Providing Security Single Service
A major reason why single service was advocated was because it was viewed as a ‘best in
class’ service. This was enabled by security being provided by a specialist security
24. Journal of Physical Security 8(2), 1-14 (2015)
7
company and by the service, often the management, not being ‘diluted’ by the engagement
of non-security specialists. Some corporate security managers felt that by first outsourcing
and then by placing a Facilities Manager in charge of a company they lost direct control of
security operations. This was not always the case; it in part depended on how it was
structured and the skill sets of the facilities manager’s point of contact. Some corporate
security people saw advantages in security being accountable to operational business units
rather than them personally, but for many, the distancing of oversight was viewed as a
further dilution of security expertise. Some typical comments on this issue from both
buyers and suppliers included:
I have to say that from a security operational perspective … I see
potential for compromise on security delivery and degradation of
security … The drive for incorporated FM into a single contract is due to
cost, not security efficiency.
Head of Security, Telecommunications
I was trying to raise security standards but in an FM bundle there is no
focus on one service—jack of all trades—you don’t get the buy-in on
what you are trying to achieve. I think things have moved on—some
reputable companies have been bought out by FM and try to keep (the)
specialism but you see them start to be eroded by the FM.
Head of Security, Finance Company
Security is a specialist business and it needs a security expert and if you
don’t value security as a specialist skill, then you won’t value us as a
security expert.
Chief Executive, Security Company (security only)
A FM manager has a different outlook, so his priority is almost certainly
not security. Plus that manager may not have security experience first
hand so may not have a good idea of risk management.
Regional Security Director, Manufacturer
A second reason why some said they preferred single service was because it led to
management efficiencies. Some saw managing the link between security and other facility
management services, not least where it involved anything approaching integration, as a
complex one. Some suppliers noted that finding good partners was often a challenge, and
finding staff that could multi skill (or wanted to) was a challenge. One supplier manager
felt that the opportunity to manage a multi skill team had enabled him to develop
personally and provided a welcome career fillip, but felt that many others would not feel
the same. Moreover, it sometimes meant a dilution of services, as staff were asked to take
on additional duties or be deployed in ways that rendered security less of a priority and, at
least, involved less focus on security related tasks. In a different way, management of
single service was seen to be easier in general because there was a longer tradition of this
type of delivery and specifically because there was a direct relationship between the
corporate security manager and the security supplier. Some lamented that with suppliers
25. Journal of Physical Security 8(2), 1-14 (2015)
8
of multi services, there was a tendency to subcontract some services, and there was always
the danger that this might result in a poorer quality service especially if they were focused
more on costs than quality, and subcontracting the service area in question was not their
specialist expertise. Furthermore, some were against employing one company to
undertake a variety of roles, and that was because it entailed ‘putting all your eggs in one
basket’; in short, this amounted to poor risk management. Finally on this issue, some
clients admitted that they were not geared up for anything other than single service, and
some suppliers in order to promote their security expertise, were keen to steer clear of any
type of service that was not their specialism and in which they were not experts:
We use different suppliers for guards, and the contractor who does
systems is different contractor and different again for fire. We go with
the experts, rather than find a one company fits all.
Senior Manager, Facilities, Medical Systems Company
There are merits for buying security alongside waste, cleaning, but we
had separate companies. The risk of one company doing it all, is that
they generally try to subcontract and so you don’t know what you get.
But it is cheaper. Specialists really know more about the topic.
Operations Services Manager, Blood Service
A third reason why some buyers and suppliers stated they preferred single service over
bundling was because it was more cost effective. They were rarely referring to the price
paid here, more in relation to the risks involved in leaving security to a non-specialist
company, or overseen by non-security experts noting that the consequences of a security
failure can cause unlimited reputational damage and result in lasting and even devastating
consequences for the client. It was noted that security experts are better placed to monitor
the changing risk landscape and keep abreast of new measures and different ways of
working as they evolve. Single service suppliers in particular also noted that cost savings
that are perceived to come with bundling could in fact often be achieved by looking at
security holistically and relating mitigation measures to risk, and looking imaginatively or
innovatively at the use of people and technology. Some argued that this not only avoided a
dilution of security, it also afforded an opportunity for clients to make cost savings and
suppliers to protect margins:
There is a perception that bundled brings huge cost benefits, because it
takes away the inefficiencies of multiple managers, sharing back office
resources, economy of scale etc. This is a misconception because on
larger contracts, if the customer works with you, you … can save cost on
single if provider works innovatively with customers.
MD, Security Company
The points that those favoring single service made was that it protected the organization
from a dilution of expertise, and suppliers especially promoted the case that if done so
imaginatively could be achieved cost effectively and generated management efficiencies.
26. Journal of Physical Security 8(2), 1-14 (2015)
9
Suppliers in particular felt the benefits of co-operation implicit in bundling can also be
achieved by ‘partnerships’ and ‘joint working arrangements’ without diluting expertise.
The point is more important than saving jobs; it was argued that both the status and the
effectiveness of security in organizations is enhanced where there is a security specialist or
expert on both the buyer and supplier side.
Determining the Strategy and Whether it Works
While it has long been recognized that there can be a variety of influences on strategy
(see, Burdon and Bhalla, 2005), in this study, 7 key factors emerged as important. First was
the policy of the organization towards outsourcing, and whether there was a well
developed strategy that guided policy (see, Nordin, 2006). Some companies had a way of
providing services dictated or directed from the center, and this meant there was a
reference point for how things should be done, although it seems that most often, even
where a strategy/policy did exist, it was flexible (at least as far as security was concerned).
Second, some clients recognized that they were only geared-up for single service, and
others felt they had developed sufficiently to bundle security. The skill sets of the client are
crucial. A third factor was the skill sets of the suppliers and, as noted above, some clients
were led towards bundling (both of security and with facilities management) by the
competence of suppliers, and some refrained from heading this way because of what they
saw as the lack of availability of services to meet their needs in the market. Others had
tried bundling and stopped because the service levels were short of their requirements.
Where there was a single point of contact—a key benefit of bundling—the competence of
that contact could characterize how it was perceived. It is important to note that there are
a range of features that combine to make bundling work, including the ability to multi skill
or integrate, the ability to find staff including managers who can multi skill and keep them,
and to structure the business so that internal competition does not undermine
collaboration.
A fourth key factor was the status of the head of the security function, and not least his or
her relative status to that of the head of facilities management and procurement. Where
security was of a lower status to facilities management, it would often (but not always)
reflect an emphasis on bundling compared to single service in outsourcing arrangements.
The role of procurement was generally seen to have a major impact, and where
procurement was seen to be of a higher status, which is not unusual (Gill and Howell, 2012)
then that could lead to a greater emphasis on cost rather than quality. A fifth factor,
somewhat following on from this, is the importance of security to the organization. There
was a tendency for security to be provided as a single service where it was crucial to the
organization, perhaps because of regulatory requirements or because of persistent or
serious threats. A sixth factor was the role of security within an organization. Some
suppliers, who favored single service noted that they did not see bundling as a problem
where there was some form of accountability to, or second best, engagement with a
security specialist in the client organization. Many suppliers and some security experts felt
the quality of security was diluted where there was a break in the link between internal
security and security contractor. A seventh and final point, was the nature of the contract
27. Journal of Physical Security 8(2), 1-14 (2015)
10
and whether the focus was primarily on delivering an excellent service or on reducing costs
to the maximum extent.
The findings revealed a clear tendency for corporate security directors to favor single
service and facilities managers to favor bundling. On the supplier side, specialist security
companies generally favored single service and facility management companies bundling.
Although this was to be expected, it was not a hard and fast rule. Similarly, there was a
tendency for clients and suppliers to highlight different features. So while clients said they
favored bundling because of cost savings, efficiencies in delivery, the growing competence
of the market, and the opportunity for standardization across sites, suppliers focussed on
cost savings, followed by innovation, the benefits of multi skilling staff, and the
opportunities for technology. This evidence would suggest that there was more to be done
to bring clients’ attention to potential benefits. With regards to single service, clients
highlighted the value of security as a specialism which should not be diluted, the greater
ease and experience of managing single service (in providing a more efficient form of
management and a less risky one), and in saving costs in terms of incurring less risk.
Suppliers largely agreed, also noting that a focus on security as a specialism additionally
protected internal jobs.
Discussion
Security is but one element of facilities management. When asked whether security was
different in any way to other services, answers reflected the relative importance of security
to the organization. Some felt it was just the same. Where it was different, it was noted
that it was regulated (in some countries at least), was a 24-hour requirement (in some
cases), and that if it went wrong, it could lead to catastrophe. Others noted that security
staff not turning up for work would be less noticed by staff than caterers not providing
food, or the air conditioning or company server not working; in short, it varied. And
security covers a wide variety of activities. On the technology side, integration is less
intellectually problematic to understand (although in practice it is far from commonplace),
but the integration of people represents a real challenge, which only some claim was
managed effectively.
Certainly the arguments presented in favor of single service, principally that it is best in
class, are being challenged by those facilities management providers who believe that multi
skilling and integrated services offers a better form of security. On the other hand, the
claims of supporters of bundling that it is more cost effective is challenged by single
providers who argue the real costs of increased risks and the opportunity for more efficient
ways of working offer an alternative perspective. The inclusion of different types of
security services in bundling arrangements is not new, but it has received relatively little
attention. Although some interviewees claimed that they had noticed a trend towards
more bundling over single service, the research approach taken meant that this needs to be
substantiated by future studies. However, if it is true, it raises the question as to whether
this reflects a structural change in the way services are delivered or is more cyclical and a
reflection of the current priorities clients are attaching to cost over risk in choosing how
28. Journal of Physical Security 8(2), 1-14 (2015)
11
security is provided. The evidence from this study highlights the lack of a common
language to describe outsourcing arrangements, and the paucity of evidence to support
arguments for and against different options; there has been little independent evaluation of
the claims being made. The aim of the research was not to develop a fact-based model to
guide decision-making, a laudable aim though that would be. Hopefully this study has
provided a more informed foundation for assessing the implications and potential
effectiveness of different models of security service delivery. The benefits and drawbacks
of different service options seem finely balanced and need to be better understood if
organizations and suppliers are to combine to provide the most effective security.
References
Agndal, H. and Nordin, F. (2009) ‘Consequences of outsourcing for organizational
capabilities: Some experiences from best practice’, Benchmarking: An International Journal,
Vol. 16:3, pp. 316-334.
British Institute of Facilities Management (2007) The Good Practice Guide to FM
Procurement, Redactive Publishing Limited.
British Institute of Facilities Management (2012) FM Categories
(http://www.bifm.org.uk/bifm/knowledge/resources/Categories).
BSIA (2007) A Guide to Integrated Security Management Systems, BSIA.
Burdon, S. and Bhalla, A. (2005) ‘Lessons from the Untold Success story: Outsourcing
Engineering and Facilities Management’, European Management Journal, Vol. 10:5, pp. 576-
582.
De Toni, A.F. and Nonino, F. (2009) ‘The Facility Management: Non Core Services
Definitions and Taxonomy’, in De Toni A.F., Ferri A., Montagner M., Open Facility
Management: a New Paradigm for Outsourced Service Management, pp. 3-28, MILANO:
IFMA.
Drion, B., Melissen, F. and Wood, R. (2012) ‘Facilities Management: Lost or Regained?’,
Facilities, Vol. 30:5/6, pp. 254–261.
Feeny, D., Lacity, M., and Willcocks, L. (2005) ‘Taking the Measure of Outsourcing
Providers’, MIT Sloan Management Review, Vol. 46:3, pp. 41-48.
Gill, M. (ed) (2014) The Handbook of Security: Second Edition, Basingstoke: Palgrave.
Gill, M. and Howell, C. (2012) The Security Sector in Perspective. Leicester: Perpetuity
Research.
31. Journal of Physical Security 8(2), 1-14 (2015)
14
the second edition of the 'Handbook' of Security' which was published in July 2014. Martin
Gill is a Fellow of The Security Institute, as well as a member of the Company
of Security Professionals (and a Freeman of the City of London). He is a member of both
the ASIS International Research Council and the Academic and Training Programs
Committee and a Trustee of the ASIS Foundation. In 2002 the ASIS Security Foundation
made a ‘citation for distinguished service’ in ‘recognition of his significant contribution to
the security profession’. In 2009 he was one of the country’s top 5 most quoted
criminologists. In 2010 he was recognised by the BSIA with a special award for
‘outstanding service to the security sector’. In 2015 IFSEC placed him in the top 10 most
influential fire and security experts in the world.
Charlotte Howell is Research Manager at Perpetuity Research. She has conducted a wide
range of projects on crime and security including consulting with offenders, victims,
security professionals and the police. Charlotte also manages the running of the Secured
Environments accreditation—a police accreditation run by Perpetuity Research on behalf
of the Association of Chief Police Officers. Charlotte holds a first class LLB (Hons) in Law
and an MSc in Criminology.
32. Journal of Physical Security 8(2), 15-36 (2015)
15
How Social Media is Transforming
Crisis Management and Business Continuity
Gerald D. Curry, James J. Leflar, Marc Glasser, Rachelle Loyear,
Briane Grey, Tim Jordan, Leonard Ong, Werner Preining, and Jose Miguel Sobron*
ASIS International Crisis Management and Business Continuity Council
Key Words-
Social media, emergency operations, crisis management, emergency management, disaster
Terminology-
Social Media: an aggregate term for networking sites, messaging sites, texting, and other
web-based or mobile technologies that support social interaction. Examples include
Facebook, YouTube, Twitter, Instagram, Google+, LinkedIn, Plus, Tumblr, email, etc.
Emergency Operations: this term was selected to encompass the many similar terms
such as emergency management, crisis management, business continuity, disaster
management, disaster recovery, and emergency planning. The differences between these
terms is often discipline- or industry-driven, but the differences do not justify using all of
the terms when describing emergency operations. Emergency operations are the
managerial functions charged with creating the framework that helps organizations,
communities, and individuals reduce vulnerability to hazards, and cope with disasters.
___________________________
* All of the authors are active members of the ASIS International Crisis Management and Business
Continuity Council. This study, conducted as a Committee project of the Council, was unfunded and
is free of any known conflicts of interest.
The American Society for Industrial Security (ASIS) International is a prominent professional
security organization with Chapters and Councils. The Crisis Management and Business Continuity
Council promotes crisis management, business continuity, and organizational resilience standards
and best practices worldwide. More information about ASIS International is available at
https://www.asisonline.org/Pages/default.aspx.
Author affiliations:
Gerald D. Curry, DM, Environmental Management Office, Safeguarding and Security, Department
of Energy.
James J. Leflar, Jr., MA, CPP, CBCP, MBCI, Senior Physical Security Consultant, Zantech IT Services.
Marc Glasser, MS, CPP, Managing Director, Resilience Management LLC.
Rachelle Loyear, MBCP, MBCI, PMP, Enterprise Director, Business Continuity Management, Time
Warner Cable.
Briane M. Grey, Senior Vice President, Director of Corporate Security, City National Bank.
Tim Jordan, B.A., AMBCI, Senior Consultant, Automation Consulting Group, GmbH.
Leonard Ong, CPP, ASIS International Information Technology Security Council.
Werner Preining, CPP, ASIS International, Chapter Chairman, Austria Chapter 107.
Jose Miguel Sobron, Department of Safety and Security, United Nations.
33. Journal of Physical Security 8(2), 15-36 (2015)
16
Abstract
The purpose of this paper is to investigate social media usage in crisis management
planning, response, and recovery activities. Social media usage during an emergency event
to gather immediate information has been demonstrated as an alternative when traditional
forms of communication have been less effective. Most of the messages transmitted using
(or through) social media are from non-traditional media sources, and the medium has
become an expected source for traditional news agencies, as every cellular smart device
user in the world has the potential to be an information broadcaster. This research survey
explores the role social media is having on crisis management for security professionals.
Survey participants consisted primarily of ASIS International members.
Introduction
Social media is being leveraged across global disciplines or industries, and according to
an overwhelming majority of ASIS International security professionals who participated in
this study, an established practice has been laid in emergency operation planning. The
purpose of this paper is to explore and report the varying means by which social media is
being used by practicing professionals for generating alert messages, confirming personnel
and other asset accountability, and keeping key stakeholders—including the general
public—informed on crisis events.
This study uses a mixed methods (quantitative and qualitative) research design to
analyze the survey results. The qualitative section of this paper identifies thematic topics
that point to the depth of social media frequency and the quality of its use. Several
questions were asked of 154 participants who confirm their acceptance of this tool as an
information channel. Additionally, the survey addresses the future of how social media will
be used to help security professionals achieve their protective responsibilities.
This paper uses a traditional research model and format in discussing the highlights of
the survey. The qualitative section sets the foundation for this paper, as the survey
participants help the reader to better understand the reasons and rational of “how” and
“why” social media is being incorporated into emergency management, including
preparedness and mitigation planning. The data collected are rich in critical information
for discovering new social media techniques as it pertains to contingency operation
planning, and for determining the depth to which social media is currently being utilized.
The qualitative research methodology offers the opportunity to review the data from a
shared perspective, by reducing limits and potential research barriers.
We did not develop a particular theory, but rather offer security-practitioner
perspectives on how social media is being utilized in emergency management.
Additionally, the results will reveal how social media is being used throughout the
emergency operations industry by expediting alert messaging. This study offers new
insights on the tremendous possibilities for the use of social media platforms in emergency
management.
34. Journal of Physical Security 8(2), 15-36 (2015)
17
The quantitative section of this paper summarizes the depth of this study by reviewing
the strength of social media’s application in real world scenarios. However, it was not
enough to gather data on whether or not social media is saving lives. Also needed was an
examination of how is it being used, and at what frequency. These questions were all
important, and helped to direct the research to a stronger, more applicable conclusion.
The sample size for this research was 154 participants. The majority of participants
were ASIS International members. This study provides an in-depth description of the
social media domain within the dealings of these security professionals.
This study leverages quantitative methods to determine statistical results and qualitative
research to explore social media’s usage, in hopes of developing a comprehensive
understanding. We hope this study will serve to inspire future studies on this subject.
Our study divided the analysis of questions into qualitative and quantitative in order to
explore the full spectrum of inquiry. Social media has received significant societal
attention. Social media has also completely changed the way people engage one another
and. more importantly, how businesses connect with potential clients and customers.
Social media has become the one common denominator that the world’s citizens
understand and use on a daily basis. The preferred online applications may change from
country to country, but the basics of being able to reach mass numbers of people quickly
has been accomplished through social media.
Purpose of the Study
The purpose of this study was to document established ASIS International security
professionals’ social media processes, identify frequency of social media use, and help
provide a global perspective to improve contingency operations. Additional research
opportunities are identified later in this paper; these will lay the foundation for security
professionals to identify and potentially benefit from further social media benefits
applicable to security professionals worldwide.
Social media has rapidly become a societal norm (Kaplan, 2012), and it is important for
security professionals to assess its use. The Department of Homeland Security’s Federal
Emergency Management Agency (FEMA) reports that, “Social media is a new technology
that not only allows for another channel of broadcasting messages to the public, but also
allows for two way communication between emergency managers and major stakeholder
groups.” (FEMA, 2015, paragraph 1). The social media technology is still considered to be
in its infancy and thus requires dedicated exploratory research.
This study examines the utility of social media in emergency management by security
professionals, so industry leaders can predict its current and long-term applicability. Often,
new technology comes and disappears just as quickly as it arrives. Social media seems to
be significantly different; this study concludes that many security professionals around the
world are using some aspect of social media for emergency notification, keeping
35. Journal of Physical Security 8(2), 15-36 (2015)
18
stakeholders engaged, and making critical documents more accessible. Our study aims to
expand the conversation on social media being used in emergency management.
Literature Review
There is an enormous amount of literature on social media and its increased utilization in
emergency management. This study leveraged the closest and most relevant resources to
expand the narrative pertaining to this important topic. The survey was used to better
understand and identify the professional pervasiveness of the platform, assess if the tools
are embedded in current policy, and explore future possible applications of social media.
The literature used in this study aims to better understand these three tenets, and confirm
the research results.
Kaplan (2012) offers an overview in his “Social Media In Emergency Management: A
Quick Look,” and suggests social media can be used as a means for public service
announcements, a dependable resource for information for emergency responders, and can
provide immediate feedback for all stakeholders through its crowdsourcing capabilities.
Additionally, Kaplan (2012) validates the fact that social media has quickly become the
subject of vigorous academic and professional studies. In fact, FEMA Administrator Craig
Fugate uses his Twitter application to converse with industry professionals and the general
public.
Su, Wardell, & Thorkildsen (2013, page 1) in their work simply titled, “Social Media in the
Emergency Management Field, 2012 Survey Results,” announces that “…76% of adults
responding to a 2012 American Red Cross survey expected help to arrive in less than three
hours if they post an emergency-related request on social media.” The study solidifies the
fact the public has a psychological expectation that once they post an emergency message
in social media, the official authorities will acknowledge it and respond appropriately. Su,
et al. (2013) shares the finding that social media has created an expected demand by the
public, and an additional platform for emergency management professionals.
One critical question this survey asks is, “How knowledgeable are emergency
management agencies regarding social media?” In Su, et al. (2013, page 2) the researchers
do not stop there however; they continue to examine the issue by identifying the
governance, technology, data/analytics, and processes that must be used to fully embrace
social media.
DHS (2012) uses their “Next Steps: Social Media for Emergency Response, Virtual Social
Media Working Group and DHS First Responders Group,” to navigate the future of social
media in emergency management. The DHS report recognizes that many United States
government officials are turning to social media technologies to share information and
connect with citizens during all phases of a crisis. In response to the global attention social
media has drawn, the U.S. Department of Homeland Security’s Science and Technology
Directorate (DHS S&T) has established working groups to provide guidance and suggest
best practices for emergency preparedness and the response community. The DHS study
concludes by highlighting six steps DHS needs to focus on: (1) Choosing the right
36. Journal of Physical Security 8(2), 15-36 (2015)
19
technology and application; (2) Developing strategy, policy, and procedures; (3) Setting
and managing expectations; (4) Engaging the community; (5) Managing misinformation;
and (6) Addressing challenges to adoption, including concerns related to privacy, public
comment, record retention, public disclosure, health information, human resources,
information technology, and security.
The USDE/REMS (2013) presentation accurately sums up the progress made to protect
school children and teachers. The presentation provides an understanding of the benefits
and challenges associated with employing social media in school crises. It builds on the
traditional four phases of emergency management: prevention-mitigation, preparedness,
response, and recovery. The presentation notes that in the aftermath of the Columbine
High School shooting, and other horrific events that have occurred, social media use is
gaining traction. The presentation confirms that 96% of young adults ages 18-29 own a
smart device of some kind, and 73% of online teens (age 12-17) use social networking
sites. The report highlights the fact that teens from lower income families are more likely
to use online social networks (4 in 5).
Lindsay (2011) starts his discussion by confirming that social media is playing an
increasing role in emergencies and disasters. His report cites research from Information
Systems for Crisis Response and Management (ISCRAM) and the Humanitarian Free and
Open Source Software (FOSS) Project, both groups that are exploring related linkages. The
author shows how social media is being used in one of two ways: first, to disseminate
information and receive feedback, and second, as a systematic tool to conduct emergency
communications, such as issue warning messages, receive victim requests for assistance,
monitor activities, establish situational awareness, and create damage estimates. Social
media has created a broad platform for emergency management professionals. Lindsay’s
report summarizes how social media is being used by management officials.
Hiltz, Kushma, and Plotnick (2014) offer a very unique opportunity of semi-structured
interviews of U.S. public sector emergency managers to determine the use, and potential
barriers to using, social media. They point out three barriers to social media use, which are
(1) a lack of personnel time to work on social media, (2) a lack of policies and guidelines,
and (3) concerns about trustworthiness of collected data. While these barriers or
challenges are very real, social media usage continues to grow to epic proportions.
One significant point Hiltz, Kushma, and Plotnick make is that even with the millions of
people who are flocking to social media sites, the government has yet to establish an
emergency management platform. Additionally, they cite Kavanaugh (2012) who reported
that social media is not being used in a particularly thoughtful or systematic way (Hiltz,
Kushma, & Plotnick, 2014, page 602). The Hiltz, Kushma, and Plotnick (2014) study
focuses solely on two important questions: (1) what problems or barriers do these
managers perceive in terms of using social media, particularly for gathering and acting
upon real-time disaster posts in them?; and (2) what is their reaction to several potential
types of tools that might enhance their use of social media? This research concludes that
the lack of trained personnel is the primary reason the government has not fully embraced
social media (Hiltz, Kushma, & Plotnick, 2014). This technology is dependent on
37. Journal of Physical Security 8(2), 15-36 (2015)
20
professional security managers and leaders who have the technical know-how to enhance
operations internally, externally, and with key stakeholders.
Methodology
The ASIS International Crisis Management and Business Continuity Council (CMBC)
developed a 17-question survey and received answers from 154 security professionals
from across the globe who occupy security positions in federal, state, local, and private
company positions. See the Appendix for the survey questions. The web-based survey was
available from July 6 to September 1, 2014, via Survey Monkey. The survey team published
the link to CMBC members, who in turn shared the link with ASIS Chapter members and
business colleagues who are associated with ASIS International.
We believe the survey received a fairly wide distribution within the limited ASIS related
population, but there is no indication of the total number of recipients. We estimate at
least several hundred recipients, and likely many more. The recipients and participants
had some relationship to ASIS International, either as members or as professional
colleagues of the research team, but there is no way to know the identities of the
participants. The participants were anonymous, and the survey was completely voluntary.
Participants were assured that any personal identifying information they provided would
be kept confidential, and the final responses would be presented in aggregate form. We
cannot make any claims concerning the participant’s representativeness of security
professionals within a general population.
The participants consisted of 118 ASIS International members and 35 non-members. It
should be noted that the 35 non-member participants who engaged in the study are
security professionals, just not members of ASIS International. Approximately 91.9% of the
participants have been members of ASIS International for over five years, and 100%
actively worked in a security or crisis management position as their primary profession.
Interestingly, 58.3% held a professional certification such as the Certified Protection
Professional (CPP), Certified Business Continuity Professional (CBCP), Master Business
Continuity Professional (MBCP), or Certified Emergency Manager (CEM). 59.3% described
their profession as security (non-data). This classification of security becomes interestingly
important because it is used as an umbrella term, and translated to capture several security
disciplines. Almost all participants held some level of college education, 84.2% held a
bachelors, masters, or doctorate degree.
The qualitative section asked 5 open-ended probing questions to better understand the
progress that has been made in emergency operations by adjusting to the society demand
for social media. These questions very purposefully explored the depth of each
participant’s professional involvement, including their participation in drills and exercises
that leveraged social media. As with any survey, some participants failed to answer all
questions, so we cannot determine or remark upon their responses to those questions.
Several themes were garnered from the written responses that were provided, and these
will be discussed in the next section.